Deploy AnyConnect

Before You Begin
Deployment

If you are deploying the Umbrella Roaming Security module, any existing installation of the Umbrella Roaming Client will be
detected and removed automatically to prevent conflicts. If the existing installation of the Umbrella Roaming Client is associated
with an Umbrella service subscription, it will automatically be migrated to the Umbrella Roaming Security module unless an OrgInfo.json file is co-located with the AnyConnect installer, configured for web deployment or predeployed in the Umbrella
module's directory. You may wish to manually uninstall the Umbrella Roaming Client prior to deploying the Umbrella Roaming
Security module.

You must
additionally complete the following prerequisites if using the Umbrella Roaming
Security module:

Obtain Umbrella Roaming Account. The Umbrella dashboard http://dashboard.umbrella.com is the login page where you obtain necessary information for the operation of the AnyConnect Umbrella Roaming Security Module.
You also use this site to manage reporting for the roaming client activity.

Download the OrgInfo File from the Dashboard. To prepare for deploying the AnyConnect Umbrella Roaming Security Module, obtain the OrgInfo.json file from the Umbrella
dashboard. Click on Roaming Computer in the Identities menu structure and then click the + sign in the upper-left corner of the page. Scroll down to AnyConnect Umbrella Roaming Security Module and click Module Profile.

The OrgInfo.json file contains specific information about your Umbrella service subscription that lets the Roaming Security
module know where to report and which policies to enforce.

AnyConnect
Deployment Overview

Deploying AnyConnect refers to installing, configuring, and
upgrading the AnyConnect client and its related files.

The
Cisco AnyConnect Secure
Mobility Client
can be deployed to remote users by the following methods:

Predeploy—New installations and upgrades are done either by the end user, or by using an enterprise software management system
(SMS).

Web Deploy—The AnyConnect package is loaded on the headend, which is either an ASA or FTD firewall, or an ISE server. When
the user connects to a firewall or to ISE, AnyConnect is deployed to the client.

For new installations, the user connects to a headend to
download the AnyConnect client. The client is either installed manually, or
automatically (web-launch).

Updates are done by AnyConnect running on a system where
AnyConnect is already installed, or by directing the user to the ASA clientless
portal.

Cloud Update—After
the Umbrella Roaming Security module is deployed, you can update any AnyConnect
modules using one of the above methods, as well as Cloud Update. With Cloud
Update, the software upgrades are obtained automatically from the Umbrella
cloud infrastructure, and the update track is dependent upon that and not any
action of the administrator. By default, automatic updates from Cloud Update
are disabled.

Note

Consider the
following regarding Cloud Update:

Only the
software modules that are currently installed are updated.

Customizations, localizations, and any other deployment types
are not supported.

The
updates occur only when logged in to a desktop and will not happen if a VPN is
established.

With
updates disabled, the latest software features and updates will not be
available.

Disabling Cloud Update has no effect on other update mechanisms or settings (such as web deploy, deferred updates, and so
on).

When you deploy AnyConnect, you can include optional modules
that enable extra features, and client profiles that configure the VPN and
optional features.

Refer to the AnyConnect release notes for system, management, and endpoint requirements for ASA, IOS, Microsoft Windows, Linux, and macOS.

Note

Some third-party applications and operating systems may restrict the ISE posture agent and
other processes from necessary file access and privilege elevation. Make sure the
AnyConnect installation directory (C:\Program Files (x86)\Cisco for Windows or
/opt/cisco for macOS) is trusted and/or in the allowed/exclusion/trusted lists for
endpoint antivirus, antimalware, antispyware, data loss prevention, privilege
manager, or group policy objects.

Decide How to
Install AnyConnect

To upgrade AnyConnect or install additional modules using web deploy (from
ASA/ISE/Umbrella cloud with Downloader), you do not need administrative
privileges.

Web Deploying from an ASA or FTD device—User connects to the AnyConnect clientless portal on the headend device, and selects
to download AnyConnect. The ASA downloads the AnyConnect Downloader. The AnyConnect Downloader downloads the client, installs
the client, and starts a VPN connection.

Web Deploying from ISE—User
connects to the Network Access Device (NAD), such as an ASA, wireless
controller, or switch. The NAD authorizes the user, and redirects the user to
the ISE portal. The AnyConnect Downloader is installed on the client to manage
the package extraction and installation, but does not start a VPN connection.

To upgrade AnyConnect or install additional modules using predeploy (out of band
deployment, either manually or using SCCM and so on), you need administrative
privileges.

Using an Enterprise software management system (SMS).

Manually distributing an AnyConnect file archive, with instructions for the user about how to install. File archive formats
are zip for Windows, DMG for Mac OS X, and gzip for Linux.

Using Mobile
Broadband Cards with AnyConnect

Some 3G cards require configuration steps before using
AnyConnect. For example, the VZAccess Manager has three settings:

modem manually connects

modem auto connect except when roaming

LAN adapter auto connect

If you choose
LAN adapter auto connect, set the preference to NDIS mode.
NDIS is an always on connection where you can stay connected even when the
VZAccess Manager is closed. The VZAccess Manager shows an autoconnect LAN
adapter as the device connection preference when it is ready for AnyConnect
installation. When an AnyConnect interface is detected, the 3G manager drops
the interface and allows the AnyConnect connection.

When you move to a higher priority connection—wired networks are
the highest priority, followed by WiFi, and then mobile broadband—AnyConnect
makes the new connection before breaking the old one.

Add the ASA to the
List of Internet Explorer Trusted Sites on Windows

An Active Directory administrator can use a group policy to add
the ASA to the list of trusted sites in Internet Explorer. This procedure is
different from the way a local user adds trusted sites in Internet Explorer.

Procedure

Step 1

On the Windows Domain server, log in as a member of the Domain
Administrators group.

Step 2

Open the Active Directory Users and Computers MMC snap-in.

Step 3

Right-click the Domain or Organizational Unit where you want to
create the Group Policy Object and click
Properties.

Step 4

Select the
Group Policy tab and click
New.

Step 5

Type a name for the new Group Policy Object and press
Enter.

Step 6

To prevent this new policy from being applied to some users or
groups, click
Properties. Select the
Security tab. Add the user or group that you want to
prevent from having this policy, and then clear the
Read
and the
Apply Group Policy check boxes in the Allow column.
Click
OK.

Right-click
Security Zones and Content Ratings in the right
pane, and then click
Properties.

Step 9

Select
Import the current security zones and privacy
settings. If prompted, click
Continue.

Step 10

Click
Modify Settings, select
Trusted Sites, and click
Sites.

Step 11

Type the URL for the Security Appliance that you want to add to
the list of trusted sites and click
Add. The format can contain a hostname
(https://vpn.mycompany.com) or IP address (https://192.168.1.100). It can be an
exact match (https://vpn.mycompany.com) or a wildcard
(https://*.mycompany.com).

Step 12

Click
Close and click
OK continually until all dialog boxes close.

Step 13

Allow sufficient time for the policy to propagate throughout the
domain or forest.

Step 14

Click
OK in the Internet Options window.

Block Proxy Changes
in Internet Explorer

Under certain conditions, AnyConnect hides (locks down) the Internet Explorer Tools > Internet Options > Connections tab.
When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally
circumventing the tunnel. The tab lockdown setting is reversed upon disconnect. Tab lockdown is overridden by any administrator-defined
policies applied to that tab. The lockdown is applied when:

The ASA configuration specifies Connections tab lockdown

The ASA configuration specifies a private-side proxy

A Windows group policy previously locked down the Connections tab (overriding the no lockdown ASA group policy setting)

For Windows 10 version 1703 (or later), in addition to hiding the Connections Tab in Internet Explorer, AnyConnect hides (locks
down) the system proxy tab in the Settings app to prevent the user from intentionally or unintentionally circumventing the
tunnel. This lockdown is reversed upon disconnect.

Yes to enable proxy lockdown and hide the Internet
Explorer Connections tab during the AnyConnect session.

No to disable proxy lockdown and expose the Internet
Explorer Connections tab during the AnyConnect session.

Step 6

Click
OK to save the Proxy Server Policy changes.

Step 7

Click
Apply to save the Group Policy changes.

Configure How
AnyConnect Treats Windows RDP Sessions

You can configure AnyConnect to allow VPN connections from Windows RDP sessions. By default, users connected to a computer
by RDP are not able to start a VPN connection with the Cisco AnyConnect Secure Mobility Client. The following table shows
the logon and logout options for a VPN connection from an RDP session. These options are configured in the VPN client profile.

Preference Name

Values

Available in SBL Mode?

Windows Logon
Enforcement

Single Local Logon (Default)—Allows only one local user to be
logged on during the entire VPN connection. Also, a local user can establish a
VPN connection while one or more remote users are logged on to the client PC.
This setting has no effect on remote user logons from the enterprise network
over the VPN connection.

Note

If the VPN connection is configured for all-or-nothing
tunneling, then the remote logon is disconnected because of the resulting
modifications of the client PC routing table for the VPN connection. If the VPN
connection is configured for split-tunneling, the remote logon might or might
not be disconnected, depending on the routing configuration for the VPN
connection.

Single Logon—Allows only one user to be logged on during the
entire VPN connection. If more than one user is logged on, either locally or
remotely, when the VPN connection is being established, the connection is not
allowed. If a second user logs on, either locally or remotely, during the VPN
connection, the VPN connection terminates. No additional logons are allowed
during the VPN connection, so a remote logon over the VPN connection is not
possible.

Note

Multiple
simultaneous logons are not supported.

Yes

Windows VPN
Establishment

Local Users Only (Default)—Prevents a remotely logged-on user
from establishing a VPN connection. This is the same functionality as in prior
versions of AnyConnect.

Allow Remote Users—Allows remote users to establish a VPN
connection. However, if the configured VPN connection routing causes the remote
user to become disconnected, the VPN connection terminates to allow the remote
user to regain access to the client PC. Remote users must wait 90 seconds after
VPN establishment if they want to disconnect their remote login session without
causing the VPN connection to be terminated.

Configure How AnyConnect Treats Linux SSH Sessions

You can configure AnyConect to allow VPN connections from Linux SSH sessions. By default, users connected to a computer by
SSH are not able to start a VPN connection with the Cisco AnyConnect Secure Mobility Client. The following table shows the
logon and logout options for a VPN connection from an SSH session. These options are configured in the VPN client profile.

Linux Login Enforcement— Single Local Logon (Default): Allows only one local user to be logged on during the entire VPN connection. Also, a local
user can establish a VPN connection while one or more remote users are logged on to the client PC. This setting has no effect
on remote user logons from the enterprise network over the VPN connection.

Note

If the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting
modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling,
the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection.

Single Logon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on (either locally
or remotely) when the VPN connection is being established, the connection is not allowed. If a second user logs on (either
locally or remotely) during the VPN connection, the VPN connection terminates. No additional logons are allowed during the
VPN connection, so a remote logon over the VPN connection is not possible.

Linux VPN Establishment—

Local Users Only (Default)—Prevents a remotely logged-on user from establishing a VPN connection.

DES-Only SSL
Encryption on Windows

By default, Windows does not support DES SSL encryption. If you
configure DES-only on the ASA, the AnyConnect connection fails. Because
configuring these operating systems for DES is difficult, we do not recommend
that you configure the ASA for DES-only SSL encryption.

Using NVM on Linux

Before using NVM on Linux, you must set up a kernel driver framework (KDF). You can choose to prebuild an AnyConnect Kernel
Module or build the driver on target. If you choose to build on target, no action is required; the build is handled automatically
during deployment or during reboot.

Prerequisites to Build the AnyConnect Kernel Module

For RHEL, install the package kernel-devel-$(uname -r), such as kernel-devel-2.6.32-642.13.1.el6.x86_64.

For Ubuntu, install the package linux-headers-$(uname -r), such as linux-headers-4.2.0-27-generic.

Make sure that the GCC compiler is installed. The major.minor version of the installed GCC compiler should match the GCC version with which the kernel was built. You can verify this in
the /proc/version file.

Package NVM with Prebuilt AnyConnect Linux Kernel Module

Before you begin

The AnyConnect NVM can be packaged with a pre-built
AnyConnect Linux Kernel Module so that you do not need to build it on every target
device, especially when the target devices have the same OS kernel version. If you
decide to not use the pre-built option, you can use on target, which happens
automatically during deployment or reboot without administrator input.
Alternatively, if your deployment doesn't have the kernel prerequisites on all
endpoints, you could use the pre-built option.

Note

Web deployment is not supported with the pre-built AnyConnect Linux Kernel
Module.

Procedure

After running the script,
anyconnect-linux64-<version>-ac_kdf_ko-k9.tar.gz gets created,
which includes the AnyConnect Linux Kernel Module build. On Secure Boot enabled systems,
sign the module with a private key allowed by Secure Boot. This file can only be used
for predeploy.

What to do next

When the target device's OS kernel is upgraded, you must re-deploy the AnyConnect NVM with the updated Linux Kernel Module.

Predeploying AnyConnect

AnyConnect can be predeployed by using an SMS, manually by distributing files for end users to install, or making an AnyConnect
file archive available for users to connect to.

Before you begin

If you
manually deploy the VPN profile, you must also upload the profile to the
headends. When the client system connects, AnyConnect verifies that the profile
on the client matches the profile on the headend. If you have disabled profile
updates, and the profile on the headend is different from the client, then the
manually deployed profile will not work.

If you
manually deploy the AnyConnect ISE Posture profile, you must also upload that
file to ISE.

The Umbrella Roaming Security Module is not available in the Linux operating system.

Step 2

Create client profiles: some modules and features require a
client profile.

The following modules require a client profile:

AnyConnect VPN

AnyConnect Network Access Manager

AnyConnect Web Security

AnyConnect
ISE Posture

AnyConnect AMP Enabler

Network Visibility Module

Umbrella Roaming Security Module

The following modules do not require an AnyConnect client
profile:

AnyConnect VPN Start Before Logon

AnyConnect Diagnostic and Reporting Tool

AnyConnect Posture

AnyConnect Customer Experience Feedback

You can create client profiles in ASDM, and copy those files to
your PC. Or, you can use the stand-alone profile editor on a Windows PC. See
About
the Profile Editor for more information about the Windows stand-alone
editor.

After you have
created all the files for AnyConnect installation, you can distribute them in
an archive file, or copy the files to the client. Make sure that the same
AnyConnect files are also on the headends you plan to connect to, ASA and ISE.

AnyConnect Module Executables for Predeploy and Web Deploy

The following table shows the filenames on the endpoint computer when you predeploy or web deploy the Umbrella Roaming Security
Module, Network Access Manager, AMP Enabler, ISE Posture, Web Security, and Network Visibility Module clients to a Windows
computer.

Table 1. Module Filenames for Web Deployment or Predeployment

Module

Web-Deploy Installer (Downloaded)

Predeploy Installer

Network Access Manager

anyconnect-win-version-nam-webdeploy-k9.msi

anyconnect-win-version-nam-predeploy-k9.msi

Web Security

anyconnect-win-version-websecurity-webdeploy-k9.exe

anyconnect-win-version-websecurity-predeploy-k9.msi

ISE Posture

anyconnect-win-version-iseposture-webdeploy-k9.msi

anyconnect-win-version-iseposture-predeploy-k9.msi

AMP Enabler

anyconnect-win-version-amp-webdeploy-k9.msi

anyconnect-win-version-amp-predeploy-k9.exe

Network Visibility Module

anyconnect-win-version-nvm-webdeploy-k9.exe

anyconnect-win-version-nvm-predeploy-k9.msi

Umbrella Roaming Security Module

anyconnect-win-version-umbrella-webdeploy-k9.exe

anyconnect-win-version-umbrella-predeploy-k9.msi

AnyConnect 4.3 (and later) has moved to the Visual Studio 2015
build environment and requires VS redistributable files for its Network Access
Manager Module functionality. These files are installed as part of the install
package. You can use the .msi files to upgrade the Network Access Manager
Module to 4.3 (or later), but the AnyConnect Secure Mobility Client must be
upgraded first and running release 4.3 (or later).

Note

If you have a Windows server OS, you may experience installation errors when attempting to install AnyConnect Network Access
Manager. The WLAN service is not installed by default on the server operating system, so you must install it and reboot the
PC. The WLANAutoconfig service is a requirement for the Network Access Manager to function on any Windows operating system.

Locations to Predeploy the AnyConnect Profiles

If you are copying the files to the client system, the following
tables show where you must place the files.

Table 2. AnyConnect Core Files

File

Description

anyfilename.xml

AnyConnect profile. This file specifies the features and attribute values configured for a particular user type.

AnyConnectProfile.xsd

Defines the XML schema format. AnyConnect uses this file to validate the profile.

In order to enable the Umbrella Roaming Security module, you must copy the OrgInfo.json file from the Umbrella dashboard and
place it into this target directory without any renaming. You can alternatively co-locate the OrgInfo.json file with the Umbrella
Roaming Security module installer, placing the file in \Profiles\umbrella before installation.

In order to enable the Umbrella Roaming Security module, you must copy the OrgInfo.json file from the Umbrella dashboard and
place it into this target directory without any renaming. You can alternatively co-locate the OrgInfo.json file with the Umbrella
Roaming Security module installer, placing the file in \Profiles\umbrella before installation.

Linux

NVM

/opt/cisco/anyconnect/NVM

All other modules

/opt/cisco/anyconnect/profile

Guidelines for Cloning VMs With AnyConnect (Windows Only)

AnyConnect endpoints are uniquely identified by a Universal Device Identifier (UDID), which all modules of AnyConnect use.
When a Windows VM is cloned, the UDID remains the same for all the clones from a source. To avoid any potential issues with
cloned VMs, follow this action before using AnyConnect:

Save a copy of the obfuscated client profile to the proper Windows folder.

Step 5

Restart the Cisco AnyConnect service.

Deploying AnyConnect Modules as Standalone Applications

You can deploy the AnyConnect Network Access Manager, Web Security, and Umbrella Roaming Security Modules as standalone applications
on a user computer. DART is supported with these applications.

Refer to Standalone NVM for details about its advantages and
method of deployment.

Requirements

The VPNDisable_ServiceProfile.xml file must also be the only
AnyConnect profile in the VPN client profile directory.

User Installation of
Stand-Alone Modules

You can break out the individual installers and distribute them
manually.

If you decide to make the zip image available to your users, and then ask to install it, be sure to instruct them to install
only the stand-alone modules.

Note

If a previous installation of Network Access Manager did not
exist on the computer, the user must reboot the computer to complete the
Network Access Manager installation. Also, if the installation is an upgrade
that required upgrading some of the system files, the user must reboot.

Procedure

Doing so disables the VPN functionality of the core client, and the Install Utility installs the Network Access Manager, Web
Security, or Umbrella Roaming Security Module as stand-alone applications with no VPN functionality.

Step 3

(Optional) Check the Lock Down Component Services check box. The lockdown component service prevents users from switching off or stopping the Windows service.

Step 4

Instruct users to run the installers for the optional modules,
which can use the AnyConnect GUI without the VPN service. When the user clicks
the Install Selected button, the following happens:

The Network Access Manager, Web Security Module, or Umbrella Roaming Security Module is enabled without VPN service on the
computer.

Predeploying to Windows

Distributing AnyConnect Using the zip File

Predeployment zip Modifications

The zip package file contains the Install Utility, a selector menu program to launch the individual component installers,
and the MSIs for the core and optional AnyConnect modules. When you make the zip package file available to users, they run
the setup program (setup.exe). The program displays the Install Utility menu, from which users choose which AnyConnect modules
to install. You probably do not want your users to chose which modules to load. So if you decide to distribute using a zip
file, edit the zip to remove the modules you do not want to use, and edit the HTA file.

One way to distribute an ISO is by using virtual CD mount software, such as SlySoft or PowerIS.

Update the zip file with any profiles that you created when you bundled the files, and to remove any installers for modules
that you do not want to distribute.

Edit the HTA file to personalize the installation menu, and to remove links to any module installers that you do not want
to distribute.

Contents of the AnyConnect zip File

File

Purpose

GUI.ico

AnyConnect icon image.

Setup.exe

Launches the Install Utility.

anyconnect-win-version-dart-predeploy-k9.msi

MSI installer file for the DART module.

anyconnect-win-version-gina-predeploy-k9.msi

MSI installer file for the SBL module.

anyconnect-win-version-iseposture-predeploy-k9.msi

MSI installer for the ISE Posture module.

anyconnect-win-version-amp-predeploy-k9.exe

MSI installer file for the AMP Enabler.

anyconnect-win-version-nvm-predeploy-k9.msi

MSI installer file for the Network Visibility Module.

anyconnect-win-version-umbrella-predeploy-k9.msi

MSI installer file for the Umbrella Roaming Security Module.

anyconnect-win-version-nam-predeploy-k9.msi

MSI installer file for the Network Access Manager module.

anyconnect-win-version-posture-predeploy-k9.msi

MSI installer file for the posture module.

anyconnect-win-version-websecurity-predeploy-k9.msi

MSI installer file for the Web Security module.

anyconnect-win-version-core-vpn-predeploy-k9.msi

MSI installer file for the AnyConnect core client.

autorun.inf

Information file for setup.exe.

eula.html

Acceptable Use Policy.

setup.hta

Install Utility HTML Application (HTA), which you can customize for your site.

Distributing
AnyConnect Using an SMS

After extracting the installers (*.msi) for the modules you want to deploy from the zip image, you can distribute them manually.

Requirements

When installing AnyConnect onto Windows, you must disable either
the AlwaysInstallElevated or the Windows User Account Control (UAC) group
policy setting. If you do not, the AnyConnect installers may not be able to
access some directories required for installation.

Microsoft Internet Explorer (MSIE) users should add the headend
to the list of trusted sites or install Java. Adding to the list of trusted
sites enables the ActiveX control to install with minimal interaction from the
user.

Profile
Deployment Process

If you are using the MSI installer, the MSI picks any profile that has been placed in the Profiles folder and places it in
the appropriate folder during installation. The proper folder paths are available in the predeployment MSI file available
on CCO.

If you are predeploying the profile manually after the installation, copy the profile manually or use an SMS, such as Altiris,
to deploy the profile to the appropriate folder.

Make sure you put the same client profile on the headend that you predeploy to the client. This profile must also be tied
to the group policy being used on the ASA. If the client profile does not match the one on the headend or if it is not tied
to the group policy, you can get inconsistent behavior, including denied access.

AnyConnect
Sample Windows Transform

Cisco provides example Windows transforms, along with documents that describe how to use the transforms. A transform that
starts with an underscore character (_) is a general Windows transform which allows you to apply only certain transforms to
certain module installers. Transforms that start with an alphabetic character are VPN transforms. Each transform has a document
that explains how to use it. The transform download is sampleTransforms-x.x.x.zip.

Windows Predeployment Security Options

Cisco recommends that end users are given limited rights on the
device that hosts the
Cisco AnyConnect Secure
Mobility Client.
If an end user warrants additional rights, installers can provide a lockdown
capability that prevents users and local administrators from switching off or
stopping those Windows services established as locked down on the endpoint. In
the Web Security module, you can use a service password to put the client in
bypass mode. You can also prevent users from uninstalling AnyConnect.

Windows Lockdown
Property

Each MSI installer supports a common property (LOCKDOWN) which,
when set to a non-zero value, prevents the Windows service(s) associated with
that installer from being controlled by users or local administrators on the
endpoint device. We recommend that you use the sample transform
(anyconnect-vpn-transforms-X.X.xxxxx.zip) provided at the time of install to
set this property and apply the transform to each MSI installer that you want
to have locked down. The lockdown option is also a check box within the ISO
Install Utility.

Hide AnyConnect
from Add/Remove Programs List

You can hide the installed AnyConnect modules from users that
view the Windows Add/Remove Programs list. If you launch any installer using
ARPSYSTEMCOMPONENT=1, that module will not appear in the Windows Add/Remove
Programs list.

We recommend that you use the sample transform
(anyconnect-vpn-transforms-X.X.xxxxx.zip) that we provide to set this property.
Apply the transform to each MSI installer for each module that you want to
hide.

AnyConnect Module
Installation and Removal Order on Windows

The module installers verify that they are the same version as
the core client before starting to install. If the versions do not match, the
module does not install, and the installer notifies the user of the mismatch.
If you use the Install Utility, the modules in the package are built and
packaged together, and the versions always match.

Procedure

In Windows and macOS, a restricted user account (ciscoacvpnuser) is created to enforce the principle of least privilege only
when the management tunnel feature is detected as enabled. This account gets removed during AnyConnect uninstallation or during
an installation upgrade.

Install and Uninstall AnyConnect on macOS

AnyConnect for macOS is distributed in a DMG file, which includes all the AnyConnect modules. When users open the DMG file,
and then run the AnyConnect.pkg file, an installation dialog starts, which guides the user through installation. On the Installation
Type screen, the user is able to select which packages (modules) to install.

To remove any of the AnyConnect modules from your distribution, use the Apple pkgutil tool, and sign the package after modifying
it. You can also modify the installer with ACTransforms.xml. You can customize the language and appearance and change some
other install actions, which is described in the Customization chapter: Customize Installer Behavior on macOS with ACTransforms.xml.

Installing AnyConnect Modules on macOS as a Standalone Application

You can install just the Web Security, Network Visibility Module, or Umbrella Roaming Security Module without the VPN. The
VPN and AnyConnect UI are not used.

The following procedure explains how to customize the modules by installing the standalone Profile Editor, creating a profile,
and adding that profile to the DMG package. It also sets the AnyConnect user interface to start automatically on boot-up,
which enables AnyConnect to provide the necessary user and group information for the module.

Procedure

Open the file to
access the installer. Note that the downloaded image is a read-only file.

Step 3

Make the
installer image writable by either running the Disk Utility or using the
Terminal application, as follows:

hdiutil
convert <source dmg> -format UDRW -o <output dmg>

Step 4

Install the stand-alone Profile Editor on a computer running a Windows operating system. You must select the AnyConnect modules
you want as part of a Custom installation or a Complete installation. They are not installed by default.

Step 5

Start the
profile editor and create a profile.

Step 6

Save the profile appropriately as WebSecurity_ServiceProfile.xml, or OrgInfo.json (that you get from the dashboard) in a secure location.

For these modules, the profile editor creates an additional obfuscated version of the profile, such as WebSecurity_ServiceProfile.wso for web security and saves it to the same location as you saved the file, such as WebSecurity_ServiceProfile.xml for web security. Follow these steps to complete the obfuscation:

Copy the specified .wso file from the Windows device to the macOS installer package in the appropriate folder path, such as
AnyConnect x.x.x/Profiles/websecurity for web security. Or, use the Terminal application, as shown below for web security instance:

In the macOS installer, go to the AnyConnect x.x.x/Profiles directory and open the ACTransforms.xml file in TextEdit for editing. Set the <DisableVPN> element to true to ensure that VPN functionality is not installed:

<ACTransforms>

<DisableVPN>true</DisableVPN>

</ACTransforms>

The AnyConnect DMG package is now ready to distribute to your users.

Step 7

Save the profile appropriately as WebSecurity_ServiceProfile.xml, NVM_ServiceProfile.xml, or OrgInfo.json (that you get from the dashboard) in a secure location.

For these modules, the profile editor creates an additional obfuscated version of the profile, such as WebSecurity_ServiceProfile.wso for web security and saves it to the same location as you saved the file, such as WebSecurity_ServiceProfile.xml for web security. Follow these steps to complete the obfuscation:

Copy the specified .wso file from the Windows device to the macOS installer package in the appropriate folder path, such as
AnyConnect x.x.x/Profiles/websecurity for web security. Or, use the Terminal application, as shown below for web security instance:

In the macOS installer, go to the AnyConnect x.x.x/Profiles directory and open the ACTransforms.xml file in TextEdit for editing. Set the <DisableVPN> element to true to ensure that VPN functionality is not installed:

<ACTransforms>

<DisableVPN>true</DisableVPN>

</ACTransforms>

The AnyConnect DMG package is now ready to distribute to your users.

Restrict Applications on macOS

Gatekeeper restricts which applications are allowed to run on
the system. You can choose to permit applications downloaded from:

The current version of AnyConnect is signed application using an Apple certificate. If Gatekeeper is configured for Mac App
Store (only), then you must either select the Anywhere setting or control-click to bypass the selected setting to install
and run AnyConnect from a predeployed installation. For more information see: http://www.apple.com/macosx/mountain-lion/security.html.

Predeploying to Linux

Installing Modules for Linux

You can break out the individual installers for Linux and distribute them manually. Each installer in the predeploy package
can run individually. Use a compressed file utility to view and extract the files in the tar.gz file.

Manually Installing/Uninstalling NVM on a Linux Device

Procedure

You can uninstall NVM using /opt/cisco/anyconnect/bin/nvm_uninstall.sh.

Initializing Server
Certificate Verification with Firefox

If you will be using server certificates with AnyConnect, you
must make a certificate store available for AnyConnect to access and verify
certificates as trusted. By default, AnyConnect uses the Firefox certificate
store.

To Activate a Firefox
Certificate Store

After you have AnyConnect installed on a Linux device, and
before you attempt an AnyConnect connection for the first time, open up a
Firefox browser. When you open Firefox, a profile is created, which includes a
certficate store.

If You Do Not Use the Firefox
Certificate Store

If you opt not to use Firefox, you must configure the local
policy to exclude the Firefox certificate store, and must configure the PEM
store.

Multiple Module
Requirement

If you deploy the core client plus one or more optional modules,
you must apply the lockdown property to each of the installers. Lockdown is
described in the
Windows Predeployment MSI Examples.

If you choose to activate lockdown to the VPN installer, you
will consequently be locking down AMP Enabler as well.

Manually Installing
DART on a Linux Device

Store anyconnect-dart-linux-(ver)-k9.tar.gz locally.

From a terminal, extract the tar.gz file using the
tar -zxvf <path to tar.gz file including
the file name command.

From a terminal, navigate to the extracted folder and run
dart_install.sh using the
sudo ./dart_install.sh command.

Accept the license agreement and wait for the installation to
finish.

Note

You can only uninstall DART using
/opt/cisco/anyconnect/dart/dart_uninstall.sh.

Web Deploying AnyConnect

Web deployment refers to the AnyConnect Downloader on the client system
getting AnyConnect software from a headend, or to using the portal on the headend to
install or update AnyConnect. As an alternative to our traditional web launch which
relied too heavily on browser support (and Java and ActiveX requirements), we improved
the flow of auto web deploy, which is presented at initial download and upon launch from
a clientless page. Automatic provisioning (Weblaunch) works on all browsers that support
NPAPI (Netscape Plugin Application Programming Interface) as well as browsers that
support ActiveX.

Web Deployment with the ASA

The Clientless Portal on the ASA web deploys AnyConnect. The process flow is:

Users open a browser and connect to the ASA’s
clientless portal. On the portal, the users click the Start AnyConnect Client
button. They can then download the AnyConnect package manually. If they are running
a browser that supports NPAPI (Netscape Plugin Application Programming Interface)
plugins, they can also use the tab to launch the automatic web provisioning using
weblaunch (ActiveX or Java).

ASA Web-Deployment
Restrictions

Loading multiple AnyConnect packages for the same O/S to the ASA is not
supported.

The OPSWAT definitions are not included in the VPN posture (HostScan) module
when web deploying. You must either manually deploy the HostScan module or
load it on the ASA in order to deliver the OPSWAT definitions to the client.

If your ASA has only the default internal flash memory
size, you could have problems storing and loading multiple AnyConnect client
packages on the ASA. Even if you have enough space on flash to hold the
package files, the ASA could run out of cache memory when it unzips and
loads the client images. For more information about the ASA memory
requirements when deploying AnyConnect, and possibly upgrading the ASA
memory, see the latest release notes for your VPN Appliance.

Users can connect to the ASA using the IP address or
DNS, but the link-local secure gateway address is not supported.

For Windows 7 SP1 users, we recommend that you install Microsoft .NET framework 4.0 before
installation or initial use. At startup, the Umbrella service checks if .NET
framework 4.0 (or newer) is installed. If it is not detected, the Umbrella
Roaming Security module is not activated, and a message is displayed. To go
and then install the .NET Framework, you must reboot to activate the
Umbrella Roaming Security module.

Web Deployment with ISE

Policies on ISE
determine when the AnyConnect client will be deployed. The user opens a browser
and connects to a resource controlled by ISE and is redirected to the
AnyConnect Client Portal. That ISE Portal helps the user download and install
AnyConnect. In Internet Explorer, ActiveX controls guide the installation. For
other browsers, the Portal downloads the Network Setup Assistant, and that
tools helps the user install AnyConnect.

ISE Deployment
Restrictions

If both ISE and ASA are web deploying AnyConnect, the configurations must match on both headends.

The ISE server
can only be discovered by the AnyConnect ISE Posture agent if that agent is
configured in the ISE Client Provisioning Policy. The ISE administrator
configures either the NAC Agent or the AnyConnect ISE Posture module under
Agent Configuration > Policy > Client Provisioning.

You should not
have different versions for the same operating system on the ASA.

Load the AnyConnect
Package on the ASA

Procedure

Step 1

Navigate to
Configuration
> Remote
Access > VPN > Network (Client)
Access > AnyConnect Client
Software . The AnyConnect Client Images panel
displays the AnyConnect images currently loaded on the ASA. The order in which
the images appear is the order the ASA downloads them to remote computers.

Step 2

To add an AnyConnect image, click
Add.

Click
Browse Flash to select an AnyConnect image you have already
uploaded to the ASA.

Click
Upload to browse to an AnyConnect image you have stored
locally on your computer.

Step 3

Click
OK or
Upload.

Step 4

Click
Apply.

Enable Additional
AnyConnect Modules

To enable additional features, specify the new module names in
the group-policy or Local Users configuration. Be aware that enabling
additional modules impacts download time. When you enable features, AnyConnect
must download those modules to the VPN endpoints.

Note

If you choose
Start Before Logon, you must also enable this feature in the AnyConnect client
profile.

Procedure

In the
navigation pane, select
VPN
Policy
> AnyConnect
Client. At
Client Modules to Download,
click
Add and choose each module you want to add to this
group policy. The modules that are available are the ones you added or uploaded
to the ASA.

Step 4

Click
Apply and save your changes to the group policy.

Create a Client
Profile in ASDM

You must add an AnyConnect web-deployment package to the ASA
before you can create a client profile on the ASA.

Procedure

Select the client profile you want to associate with a group and
click
Change Group Policy.

Step 3

In the Change Policy for Profile policy name window, choose a
group policy from the Available Group Policies field and click the right arrow
to move it to the Policies field.

Step 4

Click
OK.

Step 5

In the AnyConnect Client Profile page, click
Apply.

Step 6

Click
Save.

Step 7

When you have finished with the configuration, click
OK.

Configuring Web Deployment on ISE

ISE can configure and
deploy the AnyConnect core, ISE Posture module and OPSWAT (compliance module)
to support posture for ISE. ISE can also deploy all the AnyConnect modules and
resources that can be used when connecting to an ASA. When a user browses to a
resource controlled by ISE:

If ISE is behind
an ASA, the user connects the ASA, downloads AnyConnect, and makes a VPN
connection. If AnyConnect ISE Posture was not installed by the ASA, then the
user is redirected to the AnyConnect Client Portal to install the ISE Posture.

If ISE is not
behind an ASA, the user connects to the AnyConnect Client Portal, which guides
him to install the AnyConnect resources defined in the AnyConnect configuration
on ISE. A common configuration is to redirect the browser to AnyConnect client
provisioning portal if the ISE Posture status is unknown.

When the user is
directed to the AnyConnect Client Provisioning Portal in ISE:

If the browser is Internet Explorer, ISE downloads AnyConnect Downloader, and the Downloader loads AnyConnect.

For all other browsers, ISE opens the client provisioning redirection portal, which displays a link to download the Network
Setup Assistant (NSA) tool. The user runs the NSA, which finds the ISE server, and downloads the AnyConnect downloader.

When the NSA is done running in Windows, it deletes itself. When it is done running on macOS, it must be manually deleted.

The ISE documentation
describes how to:

Create AnyConnect
Configuration profiles in ISE

Add AnyConnect Resources to ISE from a local device

Add AnyConnect
Provisioning Resources from a Remote Site

Deploy the
AnyConnect client and resources

Note

Because AnyConnect ISE posture module does not support web proxy based redirection in discovery, Cisco recommends that you
use non-redirection based discovery. You can find further information in the Client Provisioning Without URL Redirection for
Different Networks section of the Cisco Identity Services Engine Administrator Guide.

Prepare AnyConnect
Files for ISE Upload

Download the
AnyConnect packages for your operating systems, and other AnyConnect resources
that you want to deploy to your local PC.

Note

With ASA, installation happens with the VPN downloader. With the download, the ISE posture profile is pushed via ASA, and
the discovery host needed for later provisioning the profile is available before the ISE posture module contacts ISE. Whereas
with ISE, the ISE posture module will get the profile only after ISE is discovered, which could result in errors. Therefore,
ASA is recommended to push the ISE posture module when connected to a VPN.

Create profiles for the modules you plan to deploy. At a minimum, create an AnyConnect ISE Posture profile.

Combine
customization and localization resources into a ZIP archive, which is called a
bundle in ISE. A bundle can contain:

Select
Add > Agent resources from local
disk, and upload the AnyConnect package file. Repeat
adding agent resources from local disk for any other AnyConnect resources that
you plan to deploy.

Select Add > AnyConnect Configuration > . This AnyConnect Configuration configures modules, profiles, customization/language packages, and the OPSWAT package, as described
in the following table.

The AnyConnect ISE
Posture profile can be created and edited in ISE, on the ASA, or in the Windows
AnyConnect Profile Editor. The following table describes the name of each
AnyConnect resource, and the name of the resource type in ISE.

Table 5. AnyConnect
Resources in ISE

Prompt

ISE Resource Type and Description

AnyConnect
Package

AnyConnectDesktopWindows

AnyConnectDesktopOSX

AnyConnectWebAgentWindows

AnyConnectWebAgentOSX

Compliance
Module

AnyConnectComplianceModuleWindows

AnyConnectComplianceModuleOSX

AnyConnect
Profiles

AnyConnectProfile

ISE displays
a checkbox for each profile provided by the uploaded AnyConnect package.

Customization
Bundle

AnyConnectCustomizationBundle

Localization
Bundle

AnyConnectLocalizationBundle

Create a Role or
OS-based client provisioning policy. AnyConnect and the ISE legacy NAC/MAC
agent can be selected for Client provisioning posture agents. Each CP policy
can only provision one agent, either the AnyConnect agent or the legacy NAC/MAC
agent. When configuring the AnyConnect agent, select one AnyConnect
Configuration created in step 2.

Configuring Web Deployment on FTD

A Firepower Threat Defense (FTD) device is a Next Generation Firewall (NGFW) that provides secure gateway capabilities similar
to the ASA. FTD devices support Remote Access VPN (RA VPN) using the AnyConnect Secure Mobility Client only, no other clients,
or clientless VPN access is supported. Tunnel establishment and connectivity are done with IPsec IKEv2 or SSL. IKEv1 is not
supported when connecting to an FTD device.

Windows, Mac, and Linux AnyConnect clients are configured on the FTD headend and deployed upon connectivity; giving remote
users the benefits of an SSL or IKEv2 IPsec VPN client without the need for client software installation and configuration.
In the case of a previously installed client, when the user authenticates, the FTD headend examines the revision of the client,
and upgrades the client as necessary.

Without a previously installed client, remote users enter the IP address of an interface configured to download and install
the AnyConnect client. The FTD headend downloads and installs the client that matches the operating system of the remote computer,
and establishes a secure connection.

The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store. They require a minimum configuration
to establish connectivity to the FTD headend. As with other headend devices and environments, alternative deployment methods,
as described in this chapter, can also be used to distribute the AnyConnect software.

Currently, only the core AnyConnect VPN module and the AnyConnect VPN Profile can be configured on the FTD and distributed
to endpoints. A Remote Access VPN Policy wizard in the Firepower Management Center (FMC) quickly and easily sets up these
basic VPN capabilities.

Guidelines and Limitations for AnyConnect and FTD

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported.
Clientless VPN is not supported as its own entity; it is only used to deploy the AnyConnect Client.

Using AnyConnect with FTD requires version 4.0 or later of AnyConnect, and version 6.2.1 or later of the FMC.

There is no inherent support for the AnyConnect Profile Editor in the FMC; you must configure the VPN profiles independently.
The VPN Profile and AnyConnect VPN package are added as File Objects in the FMC, which become part of the RA VPN configuration.

Secure Mobility, Network Access Management, and all the other AnyConnect modules and their profiles beyond the core VPN capabilities
are not currently supported.

VPN Load balancing is not supported.

Browser Proxy is not supported.

All posture variants (HostScan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture
are not supported.

The Firepower Threat Defense device does not configure or deploy the files necessary to customize or localize AnyConnect.

Features requiring Custom Attributes on the AnyConnect Client are not supported on FTD such as: Deferred Upgrade on desktop
clients and Per-App VPN on mobile clients.

Authentication cannot be done on the FTD headend locally; therefore, configured users are not available for remote connections,
and the FTD cannot act as a Certificate Authority. Also, the following authentication features are not supported:

Updating AnyConnect
Software and Profiles

AnyConnect can be updated in several ways.

AnyConnect Client—When AnyConnect connects to the ASA, the
AnyConnect Downloader checks to see if any new software or profiles have been
loaded on the ASA. It downloads those updates to the client, and the VPN tunnel
is established.

Cloud Update—The Umbrella Roaming Security Module can provide automatic updates for all installed AnyConnect modules from
the Umbrella Cloud infrastructure. With Cloud Update, the software upgrades are obtained automatically from the Umbrella Cloud
infrastructure, and the update track is dependent upon that and not any action of the administrator. By default, automatic
updates from Cloud Update are disabled.

ISE—When a user connects to ISE, ISE uses its AnyConnect configuration to decide if there are updated components or new posture
requirements. Upon authorization, the Network Access Device (NAD) redirects the users to the ISE portal, and the AnyConnect
downloader is installed on the client to manage the package extraction and installation. We recommend that you upload the
deploy package to the ASA headend and make sure that the versions of AnyConnect client match the ASA and ISE deployment package
versions.

Receiving a message that "automatic software updates are required but cannot be performed while the VPN tunnel is established"
indicates that the configured ISE policy requires updates. When the AnyConnect version on the local device is older than what's
configured on ISE, you have the following options, because client updates are not allowed while the VPN is active:

Deploy AnyConnect update out of band

Configure the same version of AnyConnect on the ASA and ISE

You can allow the end user to delay updates, and you can also
prevent clients from updating even if you do load updates to the headend.

Upgrade Example
Flows

Prerequisites

The following
examples assume that:

You have created a Dynamic
Authorization Control List (DACL) in ISE that uses the posture status of the
client to determine when to redirect the client to the AnyConnect Client
Provisioning portal on ISE, and that DACL has been pushed to the ASA.

AnyConnect launches the
AnyConnect Downloader, which performs any upgrades, and initiates a VPN tunnel.

If ISE Posture was
not installed by the ASA, then

A user browses
to any site and is redirected to AnyConnect client provisioning portal on ISE
by the DACL.

If the browser
is Internet Explorer, ActiveX control launches AnyConnect Downloader. On other
browsers, the user downloads and executes Network Setup Assistant (NSA), which
downloads and starts the AnyConnect Downloader.

The AnyConnect
Downloader performs any AnyConnect upgrades configured on ISE, which now
includes the AnyConnect ISE Posture module.

The ISE Posture
agent on the client starts posture.

AnyConnect is Not
Installed

The user browses
to a site, which starts a connection to the ASA Clientless Portal.

The user
provides authentication credentials, which are passed to ISE, and verified.

AnyConnect
Downloader is launched by ActiveX control on Internet Explorer and by Java
applet on other browsers.

User browses to
a site again and is redirected to AnyConnect client provisioning portal on ISE.

On Internet
Explorer, an ActiveX control launches AnyConnect Downloader. On other browsers,
the user downloads and executes Network Setup Assistant, which downloads and
launches the AnyConnect Downloader.

The AnyConnect
Downloader performs any upgrades configured on ISE through the existing VPN
tunnel, which includes adding the AnyConnect ISE Posture module.

Disabling AnyConnect
Auto Update

It is possible to disable or limit AnyConnect automatic updates
by configuring and distributing client profiles.

In the VPN Client Profile:

Auto
Update disables automatic updates. You can include this profile with
the AnyConnect web-deployment installation or add to an existing client
installation. You can also allow the user to toggle this setting.

In the VPN Local Policy Profile:

Bypass Downloader
prevents any updated content on the ASA from being
downloaded to the client.

Update Policy offers granular control over software
and profiles updates when connecting to different headends.

Prompting Users to
Download AnyConnect During WebLaunch

You can configure the ASA to prompt remote users to start web
deployment, and configure a time period within which they can choose to
download AnyConnect or go to the clientless portal page.

Prompting users to download AnyConnect is configured on a group
policy or user account. The following steps show how to enable this feature on
a group policy.

Allowing Users to
Defer Upgrade

You can also allow users to defer client update until later by
setting Deferred Update. If Deferred Update is configured, then when a client
update is available, AnyConnect opens a dialog asking the user if they would
like to update, or to defer. Deferred Upgrade is supported by all Windows,
Linux and OS X.

Configure Deferred
Update on an ASA

On an ASA, Deferred
Update is enabled by adding custom attributes and then referencing and
configuring those attributes in the group policies. You must create and
configure
all
custom attributes to use Deferred Upgrade.

The procedure to add
custom attributes to your ASA configuration is dependent on the ASA/ASDM
release you are running. See the
Cisco ASA
Series VPN ASDM Configuration Guide or the
Cisco ASA
Series VPN CLI Configuration Guide that corresponds to your ASA/ASDM
deployed release for custom attribute configuration procedures.

The following attributes and values configure Deferred Update in
ASDM:

Minimum version of AnyConnect that must be installed for updates to be deferrable.

The minimum version check applies to all modules enabled on the head end. If any enabled module (including VPN) is not installed
or does not meet the minimum version, then the connection is not eligible for deferred update.

If this attribute is not specified, then a deferral prompt is displayed (or auto-dismissed) regardless of the version installed
on the endpoint.

DeferredUpdateDismissTimeout

0-300 (seconds)

150 seconds

Number of seconds that the deferred upgrade prompt is displayed before being dismissed automatically. This attribute only
applies when a deferred update prompt is to be displayed (the minimum version attribute is evaluated first).

If this attribute is missing, then the auto-dismiss feature is disabled, and a dialog is displayed (if required) until the
user responds.

Setting this attribute to zero allows automatic deferral or upgrade to be forced based on:

The installed version and the value of DeferredUpdateMinimumVersion.

The value of DeferredUpdateDismissResponse.

DeferredUpdateDismissResponse

defer update

update

Action to take when DeferredUpdateDismissTimeout occurs.

* The custom attribute values are case-sensitive.

Configure Deferred
Update in ISE

Procedure

Step 1

Follow this navigation:

Choose Policy > Results .

Expand Client Provisioning.

Select Resources, and click Add > Agent Resources from Local Disk.

Upload the AnyConnect pkg file, and choose Submit.

Step 2

Upload any other
AnyConnect resources you have created.

Step 3

On
Resources, add an
AnyConnect Configuration using the AnyConnect
package that you uploaded. The AnyConnect Configuration has fields to configure
Deferred Update.

Deferred Update
GUI

The following figure shows the UI that the user sees when an
update is available, and Deferred Update is configured. The right part of the
figure shows the UI when
DeferredUpdateDismissTimeout is configured.

Set the Update
Policy

Update Policy
Overview

AnyConnect software and profile updates occur when they are
available and allowed by the client upon connecting to a headend. Configuring
the headend for AnyConnect updates makes them available. The Update Policy
settings in the VPN Local Policy file determine if they are allowed.

Update policy is
sometimes referred to as software locks. When multiple headends are configured,
the update policy is also referred to as the multiple domain policy.

By default, the Update Policy settings allow software and
profile updates from any headend. Set the Update Policy parameters to restrict
this as follows:

Allow, or authorize, specific headends to update all AnyConnect
software and profiles by specifying them in the
Server Name
list.

The headend server name can be an FQDN or an IP Address. They
can also be wild cards, for example: *.example.com.

Authorized Server
Update Policy Behavior

When connecting to an authorized headend identified in the
Server Name
list, the other Update Policy parameters do not apply and the following occurs:

The version of the AnyConnect package on the headend is compared
to the version on the client to determine if the software should be updated.

If the version of the AnyConnect package is older than the
version on the client, no software updates occur.

If the version of the AnyConnect package is the same as the
version on the client, only software modules that are configured for download
on the headend and not present on the client are downloaded and installed.

If the version of the AnyConnect package is newer than the
version on the client, software modules configured for download on the headend,
as well as software modules already installed on the client, are downloaded and
installed.

The VPN profile, ISE Posture profile, and each service profile
on the headend is compared to that profile on the client to determine if it
should be updated:

If the profile on the headend is the same as the profile on the
client, it is not updated.

If the profile on the headend is different than the profile on
the client, it is downloaded.

Unauthorized Server
Update Policy Behavior

When connecting to an unauthorized headend, the
Allow ... Updates From Any
Server options are used to determine how AnyConnect is updated as
follows:

Allow Software Updates From
Any Server:

If this option is checked, software updates are allowed for this
unauthorized ASA. Updates are based on version comparisons as described above
for authorized headends.

If this option is not checked, software updates do not occur. In
addition, VPN connection attempts will terminate if updates, based on version
comparisons, should have occurred.

Allow VPN Profile Updates
From Any Server:

If this option is checked, the VPN profile is updated if the VPN
profile on the headend is different than the one on the client.

If this option is not checked, the VPN profile is not updated.
In addition, VPN connection attempts will terminate if theVPN profile update,
based on differentiation, should have occurred.

Allow Service Profile Updates
From Any Server:

If this option is checked, each service profile is updated if
the profile on the headend is different than the one on the client.

If this option is not checked, the service profiles are not
updated.

Allow ISE Posture Profile Updates From Any
Server:

If this option is checked, the ISE Posture profile is updated
when the ISE Posture profile on the headend is different than the one on the
client.

If this option is not checked, the ISE Posture profile is not
updated. ISE Posture profile is required for the ISE Posture agent to work.

Allow Compliance Module Updates From Any
Server:

If this option is checked, the Compliance Module is updated when
the Compliance Module on the headend is different than the one on the client.

If this option is not checked, the Compliance Module is not
updated. The Compliance Module is required for the ISE Posture agent to work.

Update Policy
Guidelines

Enable remote users to connect to a headend using its IP address
by listing that server’s IP address in the authorized
Server Name
list. If the user attempts to connect using the IP address but the headend is
listed as an FQDN, the attempt is treated as connecting to an unauthorized
domain.

Software updates include downloading customizations, localizations, scripts and transforms. When software updates are disallowed,
these items will not be downloaded. Do not rely on scripts for policy enforcement if some clients will not be allowing script
updates.

Downloading a VPN profile with
Always-On
enabled deletes all other VPN profiles on the client. Consider this when
deciding whether to allow or disallow VPN profiles updates from unauthorized,
or non-corporate, headends.

If no VPN profile is downloaded to the client due to your installation
and update policy, the following features are unavailable:

Service Disable

Untrusted Network Policy

Certificate Store Override

Trusted DNS Domains

Show Pre-connect Message

Trusted DNS Servers

Local LAN Access

Always-On

Start Before Logon

Captive Portal Remediation

Local proxy connections

Scripting

PPP Exclusion

Retain VPN on Logoff

Automatic VPN Policy

Device Lock Required

Trusted Network Policy

Automatic Server Selection

The downloader creates a separate text log (UpdateHistory.log)
that records the download history. This log includes the time of the updates,
the ASA that updated the client, the modules updated, and what version was
installed before and after the upgrade. This log file is stored here:

The following update sequence is possible when the client is
currently running AnyConnect VPN and Network Access Manager modules:

The client connects to seattle.example.com, an authorized server
configured with the same version of AnyConnect. The Web Security software
module is downloaded and installed, as well as the Web Security profile, if
available. If the VPN and Network Access Manager profiles are available for
download and different than the ones on the client, they will also be
downloaded.

The client then connects to newyork.example.com, an authorized
ASA configured with a newer version of AnyConnect. The VPN, Network Access
Manager, and Web Security modules are downloaded and installed. Profiles that
are available for download and different than the ones on the client are also
downloaded.

The client then connects to raleigh.example.com, an unauthorized
ASA. Since software updates are allowed, the VPN, Network Access Manager, Web
Security, and Posture modules are all upgraded. Because the VPN profile and
service profile updates are not allowed, they are not downloaded. If the VPN
profile could have been updated (based on it being different), the connection
will terminate.

AnyConnect Reference Information

Locations of User
Preferences Files on the Local Computer

AnyConnect stores some profile settings on the user computer in
a user preferences file and a global preferences file. AnyConnect uses the
local file to configure user-controllable settings in the Preferences tab of
the client GUI and to display information about the last connection, such as
the user, the group, and the host.

AnyConnect uses the global file for actions that occur before
logon, for example, Start Before Logon and AutoConnect On Start.

The following table shows the filenames and installed paths for
preferences files on the client computer: